After T94774, we can define password policies based on group membership.
Users in the Ombudsmen group (https://meta.wikimedia.org/wiki/Special:GlobalGroupPermissions/ombudsman) have access to checkuser data globally. An account compromise could impact the privacy of our users.
My proposal is setting an 8-byte minimum length (users will be prompted to change their password on login) in the near term, and then require 8-byte minimum passwords to login after users have had time to update their passwords.